
Lynis – Security Tool for Audit and Hardening Linux Systems


Lynis is an open-source security auditing tool for UNIX derivatives such as Linux, macOS, BSD and other Unix-based operating systems. It performs an extensive health scan of a system to support system hardening and compliance testing. It is open-source software released under the GPL license. The tool also reports general system information, vulnerable software packages and configuration issues, and is useful for system administrators, auditors and security professionals.

How Does the Lynis Tool Work?

Lynis scanning is modular and opportunistic: it tests only the components it finds, such as the available system tools and their libraries. The advantage is that no additional tools need to be installed, so the audited system stays clean. The more components are discovered, the more extensive the audit becomes. Because of this approach, Lynis runs with no dependencies.

Lynis Tool Installation:

Lynis is lightweight, and most users install it from a package. There are several ways to install Lynis:

  • Clone via GitHub
  • OS package install
  • Source install
  • Tarball
  • Homebrew
  • BSD ports

UNIX distributions such as Debian, Ubuntu, Mint, Fedora, SUSE, openSUSE, Arch Linux and Manjaro carry a Lynis package by default, so it is easy to install it from the distribution repository using the package manager.

Install Lynis with Software Package or OS Package:

Because Lynis is packaged by the distributions, we can install it with the following commands on the various UNIX distributions.

Installing Lynis on Ubuntu/Debian/Linux Mint

$ sudo apt-get install lynis

Installing Lynis on RHEL/CentOS

$ sudo yum install lynis

Installing Lynis on Fedora

$ sudo dnf install lynis

Installing Lynis on openSUSE

$ sudo zypper install lynis

Installing Lynis on Arch Linux based systems

$ sudo pacman -S lynis

Installing Lynis from BSD ports

$ cd /usr/ports/security/lynis
$ make install

Install Lynis via Git Clone

Clone or download the project files from GitHub (no compilation step is needed; the tool runs directly from the clone). After Lynis is installed or the repository is cloned, the main tool is a file called lynis: a shell script, which we can open to read what the tool actually does. Lynis is implemented entirely in shell script.

$ git clone https://github.com/CISOfy/lynis
$ cd lynis
$ ls

How to Run Lynis:

To view all the commands available in Lynis, execute the following:

$ ./lynis show

We can now use Lynis to perform security audits on our system. To list the commands Lynis can execute, use:

$ ./lynis show commands

Before performing an audit, make sure you are in the right directory and prefix lynis with "./". Lynis runs without pre-configuration, and it can run in privileged or non-privileged (pentest) mode; tests that require root privileges are skipped in non-privileged mode. To run an audit in privileged mode, run:

$ ./lynis audit system

Note: adding the --quick parameter lets lynis run without pauses, so we can work on other things while it scans.

$ ./lynis audit system --quick

After authentication, Lynis runs its tests and reports the results. The tests are divided into categories; after each category, the test results, debug information and suggestions for hardening the system are shown. More detailed information is stored in /var/log/lynis.log, while the report data is stored in /var/log/lynis-report.dat.

Exploring the Reports:

Lynis performs an in-depth audit and reports the results in the following ways:

Screen Output: Lynis scans the system and performs many tests. Possible test results include:

  • OK or WARNING
  • FOUND or NOT FOUND
  • WEAK
  • NONE or DONE

Log File: the results displayed on-screen during the scan, plus additional details, are written to a log file. Information in the log file includes:

  • Time of each action/event
  • Reason(s) why a test failed or was skipped
  • Output of (internal) tests
  • Suggestions about configuration options
  • Threat/impact score

Remark: the log file is rewritten on every scan. To keep or debug information from previous scans, rotate the log before running lynis again.

Report File: the findings and other data points Lynis gathers are stored in the report file at its default location. The report file is used to compare past scans with the current scan. Contents of the report file:

  • Remarks = #<remark>
  • Section = [<section name>]
  • Option/value = <option name> = <value of option>

The report data contains information about the server and its applications; the details of the run itself are stored in the log file, which is overwritten on each audit.

Lynis reports complete information about the current system: the OS, OS version and the hardware the Linux machine runs on. On Debian-based systems the Debian plugins are also run and generate details about package installations.

The Debian tests are run as well and give more information about system installations. They display warnings from the Debian plugins and list whether particular software packages are installed on the system or not; the Debian plugin checks for the system binaries required by the Debian tests.

Boot and Services: the boot process and system services are scanned, and booting and service issues present on the system are reported.

Printers and Spools: in a typical Lynis audit there are two tests in this category. They check the cupsd status and its related configuration files, and the status of the lpd and qdaemon printer spoolers.

Software: firewalls: checks whether the iptables kernel module is loaded and which policies the iptables chains use, and also looks for software firewalls such as CSF and UFW. It checks the configuration of firewalls and local services and collects data for further analysis.

Insecure Services: scans the inet daemon status and checks its configuration file. Here inetd was not found, and Lynis tags the test accordingly, since inetd should not be running on an audited server.

SSH Support: scans the SSH daemon status and the SSH settings in /etc/ssh/sshd_config that affect secure login.

SNMP Support: checks whether the SNMP daemon is running, the daemon file location and SNMP communication settings.

Databases: checks for installed databases such as MySQL, PostgreSQL, Oracle, DB2 and Redis, along with their related processes and configuration files.

LDAP Services: checks whether an OpenLDAP instance is running and examines its configuration file.

Lynis color-codes its results:

  • Green: the check passed, or the feature is disabled
  • Yellow: the test was skipped, the item was NOT FOUND, or a suggestion may follow
  • Red: the test or scan found something unsafe that needs more attention

Kernel: scans the run level, CPU support, kernel version, kernel type, /etc/inittab and the loaded kernel modules.

Memory and Processes: scans memory information from /proc/meminfo and looks for dead processes and processes waiting on IO.

Kernel Hardening: the kernel has many tunable settings (sysctl keys) that control kernel functions, and some of them have a security context. Distributions may not set them by default, so they are examined on each scan; the expected value depends on the security posture. Lynis compares the sysctl key/value pairs against its profile to verify kernel parameter hardening.

Users, Groups and Authentication: scans admin accounts, UIDs, GIDs, /etc/passwd, sudoers and PAM files, password aging, single-user mode, failed logins and umask.

Shells: scans the available shells and checks whether any of them is vulnerable.

File System: scans the available mount points and checks whether they are mounted separately or on the / file system, checks that mount point flags are set properly, and examines the fstab file, swap partition, /proc, /tmp and the /tmp sticky bit.

  • Storage: checks whether USB storage is disabled and whether USB device authorization is in place, and also whether firewire storage is disabled.
  • NFS: scans NFS information such as the programs registered with rpcinfo, the registered NFS versions and protocols, and whether the NFS daemon is running.

Ports and Packages: scans for a package manager (rpm, deb, etc.); if one is found, it queries the list of installed packages and checks for package vulnerabilities and available updates. Finally, it checks GPG signatures for package security.

Networking: checks whether IPv6 is enabled, tests the name server configuration, and enumerates the available network interfaces, MAC addresses, IP addresses and DHCP status.

Logging and Files: checks whether the syslog daemon is running and examines its configuration files.

  • Banners and Identification: scans copyright banner files and checks the issue and issue.net banner files and their contents.
  • Scheduled Tasks: scans the cron daemon status and then checks the cronjob/crontab lists.
  • Accounting: scans accounting software information and its configuration files.

Security Frameworks: checks whether AppArmor, SELinux or grsecurity is enabled; if so, it checks the daemon status and presence.

  • File Integrity: checks file integrity for all the files.
  • System Tooling: checks system automation tools, fail2ban, IDS/IPS, etc.
  • Malware: scans for malware-related tools such as chkrootkit, Rootkit Hunter, LMD and clamscan.

File Permissions: scans all kinds of file permissions.

Phase 2, Plugins: runs tests based on the installed plugins; to install a plugin for lynis, add it to the /etc/lynis/plugins directory. After the scan finishes, the Warnings and Suggestions sections list what to change to improve the security of the system and rectify any issues found.

Finally, the security scan details are displayed: the report includes the findings and general information such as the number of security tests performed, and the locations of the log file and the report data.

Lynis can show detailed information about every suggestion; use the show details command followed by the test ID. Here we look at one of the 50 suggestions listed:

$ ./lynis show details PHP-2376

The Lynis Hardening Index is an index unique to Lynis that gives the auditor an idea of how well a system is hardened. The number is an indicator of the measures taken.

To implement security safeguards, first determine the findings present on the system, then apply the measures or suggestions given after the scan. Hardening Unix systems with Lynis is essential to bring security in line with security policies.

An alternative way to raise the Lynis Hardening Index is to determine which tests are too strict for the role of a particular machine. Those tests can be disabled in the scan profile, so they are skipped; the hardening rating then no longer counts them, and a different score results.

Run Lynis with Custom Tests

To run a particular test, we first need its Test ID. If the server doesn't run a web server, there is no need to run the web server tests. Use the tests parameter to list the tests in Lynis:

$ lynis show tests

Show a particular test with the same command followed by its test ID:

$ lynis show tests ACCT-9626
$ lynis show tests TOOL-5190

To see update details for the Lynis tool and check whether it is the latest version, run update info:

$ ./lynis update info

More Test-IDs can be found in the default log file, /var/log/lynis.log.

If the log file does not give the desired result, run lynis with the -c (check-all) parameter. To look inside the log file, combine cat with grep; a list of the Test-IDs present in the log file is then displayed:

$ cat /var/log/lynis.log | grep KRNL
# Another method is to run a full, quick check:
$ ./lynis -c -Q

To run the system uptime check and the core dumps configuration test, pass the Test-IDs separated by spaces; add more Test-IDs the same way:

$ ./lynis --tests "BOOT-5202 KRNL-5820"
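The two ideas above, pulling Test-IDs out of the log and disabling tests that do not fit a machine's role in the scan profile, can be combined. The script below is an added example, not code from the article or the Lynis project: it extracts the unique Test-IDs from a log, keeps those in the categories you name (HTTP and PHP here, for a server that runs no web server), and writes one skip-test= line per ID, the form used in a Lynis custom profile such as /etc/lynis/custom.prf. The sample log lines are constructed, and the "Performing test ID" wording and the skip-test= key are assumptions about the Lynis log and profile formats.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project).
# Assumptions: the Lynis log contains lines like
#   "<timestamp> Performing test ID KRNL-5820 (description)"
# and a custom profile accepts "skip-test=<Test-ID>" lines.

# extract_test_ids FILE : unique Test-IDs (e.g. KRNL-5820) found in a log file
extract_test_ids() {
    grep -oE '[A-Z]{3,4}-[0-9]{4}' "$1" | LC_ALL=C sort -u
}

# ids_in_category FILE PREFIX : only the IDs whose category prefix matches (e.g. HTTP)
ids_in_category() {
    extract_test_ids "$1" | grep -E "^$2-"
}

# write_skip_profile LOG PROFILE PREFIX... : write one skip-test= line per ID
# in the given categories to PROFILE and print how many lines were written
write_skip_profile() {
    log=$1; profile=$2; shift 2
    : > "$profile"
    for prefix in "$@"; do
        ids_in_category "$log" "$prefix" | while IFS= read -r id; do
            printf 'skip-test=%s\n' "$id"
        done >> "$profile"
    done
    grep -c '^skip-test=' "$profile" || true
}

# --- demo with a constructed log (not real Lynis output) ---------------
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2022-02-28 10:00:01 Performing test ID KRNL-5820 (Checking core dumps configuration)
2022-02-28 10:00:01 Performing test ID HTTP-6640 (Checking web server modules)
2022-02-28 10:00:02 Performing test ID PHP-2376 (Checking a PHP option)
2022-02-28 10:00:02 Performing test ID HTTP-6640 (repeated log entry)
2022-02-28 10:00:03 Performing test ID BOOT-5202 (Check uptime of system)
EOF
demo_profile=$(mktemp)
echo "skip lines written: $(write_skip_profile "$demo_log" "$demo_profile" HTTP PHP)"
cat "$demo_profile"
rm -f "$demo_log" "$demo_profile"
```

Because the IDs are de-duplicated and filtered by prefix, a repeated log entry produces a single skip-test line, and a category that never ran on the machine produces none. Review the generated lines before copying them into the profile: skipping a test lowers what the Hardening Index measures, so only disable tests that genuinely do not apply to the machine's role.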

Run Lynis with Categories:

Use the --tests-from-category parameter when there are too many Test-IDs to deal with; Lynis then runs every Test-ID that belongs to the given category. Run the firewall tests, for example, with the following command (the kernel tests work the same way):

$ ./lynis --tests-from-category "firewalls"

Run Lynis as a Cronjob:

Lynis can be automated to run periodically and check for improvements since the previous Lynis scan. To run Lynis from a cronjob, schedule it to run every month. The paths used in the script, /usr/local/lynis and /var/log/lynis, must exist.

Save the script below and make it executable; cron then runs it monthly, or whenever it is scheduled:

# The script is saved as text.sh. Any editor will do; Vim is used here.
$ vim text.sh
$ chmod u+x text.sh

#!/bin/sh
AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"
cd /usr/local/lynis
# run the audit non-interactively and keep the screen output in a dated report
./lynis audit system --auditor "${AUDITOR}" --cronjob > "${REPORT}"
# move the report data file next to it so each run keeps its own copy
if [ -f /var/log/lynis-report.dat ]; then
    mv /var/log/lynis-report.dat "${DATA}"
fi
# End
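The report file section above says the report data is what lets you compare a past scan with the current one, and the cron script keeps a dated copy of that file for every run. The script below is an added example, not code from the article or the Lynis project, that does the comparison: it reads two saved report-data files, prints the change in the Hardening Index, and lists the warnings and suggestions that are new or resolved. Report lines are "option=value" as the article describes; the specific keys hardening_index, warning[] and suggestion[] and the "Test-ID|message|..." value layout are assumptions about the Lynis report format, and both sample reports are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): compare a
# previous and a current lynis-report.dat. Assumed keys: hardening_index,
# warning[] and suggestion[], whose values start with "<Test-ID>|".

# report_value FILE KEY : value of a single-valued option such as hardening_index
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# finding_ids FILE KIND : sorted unique Test-IDs of warning or suggestion lines
finding_ids() {
    sed -n "s/^$2\[]=\([A-Z0-9-]*\)|.*/\1/p" "$1" | LC_ALL=C sort -u
}

# hardening_delta OLD NEW : change in the Lynis Hardening Index between the scans
hardening_delta() {
    echo $(( $(report_value "$2" hardening_index) - $(report_value "$1" hardening_index) ))
}

# diff_findings OLD NEW KIND MODE : MODE "new" lists Test-IDs present only in NEW,
# MODE "resolved" lists those present only in OLD (comm needs sorted input)
diff_findings() {
    old_ids=$(mktemp); new_ids=$(mktemp)
    finding_ids "$1" "$3" > "$old_ids"
    finding_ids "$2" "$3" > "$new_ids"
    if [ "$4" = "new" ]; then
        LC_ALL=C comm -13 "$old_ids" "$new_ids"
    else
        LC_ALL=C comm -23 "$old_ids" "$new_ids"
    fi
    rm -f "$old_ids" "$new_ids"
}

# --- demo with two constructed reports (not real Lynis output) ----------
demo_old=$(mktemp); demo_new=$(mktemp)
cat > "$demo_old" <<'EOF'
# constructed sample: previous scan
hardening_index=62
warning[]=KRNL-5820|Core dumps are enabled|-|-|
suggestion[]=BOOT-5202|Review system uptime and reboot policy|-|-|
suggestion[]=PHP-2376|Review PHP configuration|-|-|
EOF
cat > "$demo_new" <<'EOF'
# constructed sample: current scan
hardening_index=70
warning[]=TOOL-5190|No intrusion detection tooling found|-|-|
suggestion[]=PHP-2376|Review PHP configuration|-|-|
EOF
echo "Hardening Index change: $(hardening_delta "$demo_old" "$demo_new")"
echo "New warnings:           $(diff_findings "$demo_old" "$demo_new" warning new)"
echo "Resolved warnings:      $(diff_findings "$demo_old" "$demo_new" warning resolved)"
echo "Resolved suggestions:   $(diff_findings "$demo_old" "$demo_new" suggestion resolved)"
rm -f "$demo_old" "$demo_new"
```

Pointed at two of the dated report-data-<host>.<date>.txt files the cron script saves, this turns the monthly run into an actual trend check: a rising index with no new warnings is the result you want, while a new warning Test-ID is what to look up with "lynis show details".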

Check the Version of Lynis

The --version option displays the version number of the tool. Checking the version of Lynis helps you know whether the tool is the latest version or not.

$ ./lynis --version



Last Updated : 28 Feb, 2022